Friday, June 5, 2009

I've been spending some time working with Matt Blackband today on issues surrounding imaging Windows 7 disks and RAM. I've got a copy of Windows 7 32bit RC1 installed under VM Fusion with 2 Processors and 2 Gig of RAM allotted to it.

Before I start I just want to point out that although I have quite a bit to do with e-fense on a day to day basis including teaching the use of Helix 2.0, I do not make anything out of the new Helix Pro. This bit of research was just myself and Matt wanting to see whether it worked well under Windows 7 and compared to Helix 2.0. This is NOT an infomercial!

Although there has been alot of talk about exFAT and its uses, Windows 7 installs with NTFS as default and installed very quickly indeed. There have been some concerns and questions over whether our current typical live forensic tools would be able to successfully run and acquire drives and RAM. As Helix is a personal favourite tool and one that I teach, I focused my attention on that.

I loaded the latest Beta 2 version of Helix Pro (Should be released soon) which loaded quickly and successfully. Helix Pro saw the connected drives and partitions and also correctly reported the RAM size. Running the Helix RAM acquisition I was able to acquire 2 Gig of RAM, writing to a shared drive on the host MAC in a little over 2 minutes which is very good indeed. I was then able to successfully run Strings and Foremost to extract text data and carve files respectively. As expected Volatility refused to run and we wait to see if a Vista/7 update is forthcoming?

Disk imaging also worked correctly as expected for making both a RAW and an Encase 6 image, also creating disk and imaging information and checksum PDF's.

One of my favourite aspects of Helix Pro is its lightening fast volatile data acquisition. I was a little dubious that it would work under 7, but work it did, finishing in less than 20 secs and producing a 96 page report! Enjoy reading that!

Helix 2.0, the remaining free offering, as expected, did not fare as well. The GUI fires up OK but you are unable to trigger a command shell from the GUI as no Windows 7 shell exists on the disk, however browsing to /IR/Vista, and opening a Vista cmd file directly and then running cmdenv, did provide a usable shell which enabled me to run binaries on the disk.

System Information worked correctly reporting Owner, Network and Logical disks.

As expected the GUI would not image RAM or Disks although extracting MDD from /IR/RAM to a USB key and running it, successfully imaged the RAM in a little under a minute to the local disk (not recommended in the real world :)).

After some down and dirty testing today it is good to see that Helix Pro is up to the task of working with 7 which I guess makes it a £200 tool worth having in your toolkit. Of course, it will be interesting to see the take up of 7 after the lack-lustre reaction to Vista, but I have to say, even as a hard and fast Mac user, its not too bad. It installed very quickly and just worked out of the box. The interface is clean and simple and programs pop up nice a fast. Could this be a 'good' version of Windows? Time will tell. More research to be done.

Contact details

About Me

I've been working with computers since my ZX81, closely followed by an Oric 1 (if anyone remembers those?). In the past 11 years I've been working in the area of computer forensic investigation and research in both the Law enforcement and Corporate worlds.
I have trained 100's of investigators in the past few years in the area of Live Forensics and RAM Analysis.
Lately I have been working with Law enforcement agencies across Europe and the USA in both an operational and training capacity.

Computer forensics is an evolving science with constantly developing tools and techniques. CSITech, led by Nick Furneaux, is striving to be at the forefront of these developments working on tools and techniques for the collection and analysis of volatile data for both the Law Enforcement and Corporate worlds.